• Mehr als 3 Millionen Wörter Inhalt
  • |
  • info@itmedialaw.com
  • |
  • Tel: 03322 5078053
Rechtsanwalt Marian Härtel - ITMediaLaw

No products in the cart.

  • en English
  • de Deutsch
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Kurzberatung
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
Rechtsanwalt Marian Härtel - ITMediaLaw

Consent to privacy in e-commerce and SaaS: A breach of the GDPR?

1. June 2023
in Data protection Law, Law on the Internet
Reading Time: 5 mins read
0 0
A A
0
dsgvo 3589608 1280
Key Facts
  • Consent to the privacy policy could violate the GDPR and the principle of good faith.
  • The EDPB 's decision emphasizes the inadmissibility of obtaining consent in data protection declarations.
  • Obtaining consent without authorization can lead to significant legal consequences, including administrative sanctions.
  • Companies must regularly review and adapt their data protection declarations and terms of use.
  • Compliance with the GDPR protects customer trust and strengthens the company's reputation.
  • A breach of the GDPR can cause customer churn and reputational damage.
  • The GDPR requires continuous efforts and proactive measures for compliance.

Introduction

Content Hide
1. Introduction
2. The AGB-legal dimension
3. The decision of the European Data Protection Board and its legal details
4. The EDSA decision and its impact on online providers
5. The impact on e-commerce and SaaS providers
6. The role of the GDPR in the digital world
6.1. Author: Marian Härtel

In my work in the world of e-commerce and SaaS providers, it is a common practice to ask users to consent to the privacy policy. However, this seemingly harmless action could have profound legal consequences. Have you ever considered that this practice could be a violation of the General Data Protection Regulation (GDPR) and breach the principle of good faith?

In this blog post, I shed light on this complex and often overlooked topic. I refer to a recent, but possibly quickly overlooked, decision by the European Data Protection and Privacy Authority (EDSA) and discuss how it might affect the landscape of digital commerce.

The question I am asking is not just theoretical. It could have significant practical implications for the way e-commerce and SaaS providers design and present their privacy statements. It could even lead to the need to adapt store systems and marketing funnels to meet legal requirements.

This blog post is a must-read for anyone working in the digital economy who understands the importance of privacy compliance. Get ready to challenge your previous assumptions and take a fresh look at your company’s privacy policy.

The AGB-legal dimension

Obtaining consent to the privacy policy may result in the privacy policy being subject to strict control under GTC law. This may result in certain information in the privacy policy being judged as invalid clauses. In addition, there is a risk that such clauses could be subject to warnings as violations of competition law.

Pursuant to the judgment of the Court of Appeal of December 27, 2018 (23 U 196/13), certain clauses in the data protection declaration that unreasonably disadvantage customers and cannot be reconciled with essential basic ideas of the statutory regulation from which a deviation is made (Art. 6 (1) DSGVO) may be judged invalid (Section 307 (1) Sentence 1, (2) No. 1 BGB).

In particular, it was held that the mere unilateral promulgation of certain data processing practices by a clause user does not constitute consent of the data subject. Informing customers about data processing practices that the defendant allows itself and that its customers have to accept without being asked does not replace their consent. The argument that the Data Protection Directive at issue is not made the subject of consent, but merely referred to for information purposes, and that at no point in the provisions complained of by the plaintiff is there any mention of the consumer consenting to data processing, ultimately turns on them. This is precisely because the inadmissible deviation of the clauses from the statutory regulation lies in the fact that they give the consumer the incorrect impression that the defendant is entitled to process personal data without the consumer’s consent being relevant.

In addition, it was held that the use of clauses which give the customer the impression that he must accept them as a binding provision in the event of a dispute constitutes general terms and conditions within the meaning of Section 305 (1) of the German Civil Code. 1 sentence 1 BGB can apply. According to their objective wording, these clauses can only be understood as binding regulations of the existing contractual relationship or the contractual relationship to be initiated.

In light of the Kammergericht’s decision and the requirements of the European General Data Protection Regulation (GDPR), the question arises as to whether companies should require consents at all when using legal texts such as general terms and conditions (GTC) and privacy statements on online services. The stringent requirements for the effectiveness of such consents and the potential legal consequences of failing to comply with these requirements make it a complex and risky undertaking.

The decision of the European Data Protection Board and its legal details

The EDSA decision underlines the inadmissibility of obtaining consent in privacy notices and the possible violation of the GDPR, especially if the notice is merely an information notice under Art. 13 GDPR. This decision emphasizes the principle of good faith, which is intended to ensure a fair balance between the business interests of data controllers and the rights and requirements of data subjects. The decision highlights that the basic principles of processing listed in Article 5 of the GDPR may be violated, which may result in significant administrative penalties. In addition, the deadline for compliance with the decision was reduced from six months to three months.

The EDSA decision goes into the full legal details and emphasizes that the possibility to specifically consent to a certain processing falls under Article 6(1)(f) GDPR. It notes that WhatsApp users were forced to agree to the terms of service and privacy policy, which confused users’ expectations. WhatsApp’s processing cannot therefore be considered ethical and truthful, as it is confusing in terms of the type of data processed, the legal basis used and the purposes of the processing.

The EDSA decision and its impact on online providers

The decision of the European Data Protection Supervision Authority (EDSA) has far-reaching implications for the practices of online providers. In particular, WhatsApp’s practice of forcing users to agree to its terms of use and privacy policies has been criticized. The EDSA decision clarifies that this practice cannot be considered ethical and truthful, as it is confusing in terms of the type of data processed, the legal basis used and the purposes of the processing.

The decision also has implications for other online providers. It raises serious questions about the practices and user funnels of online providers and calls for a thorough review and adjustment of their privacy statements and terms of use. It is therefore important to emphasize that the implications of this decision may be far-reaching and that each case should be evaluated individually.

The impact on e-commerce and SaaS providers

Many e-commerce and SaaS providers have not yet fully recognized the potential legal issues associated with obtaining consent for their privacy policies. This practice may not only be problematic under GTC law, but may also constitute a violation of the GDPR itself. Therefore, it is important that providers reconsider this practice and adjust it if necessary. The legal explanations in the EDSA decision underline the need for clear and understandable consent to data processing. The mere unilateral announcement of certain data processing practices by a provider does not constitute consent of the data subject. Information about data processing practices that the provider allows itself and that its customers have to accept without being asked does not replace their consent. This may result in significant legal consequences, including administrative penalties.

It is therefore crucial that providers review their privacy statements and terms of use and ensure that they comply with the requirements of the GDPR. This includes providing clear and understandable information about data processing practices and obtaining explicit consent from users for data processing, when such consent is necessary in the given situation. In addition, providers should keep in mind that simply providing information about data processing practices is not sufficient to obtain user consent. You must ensure that users have the option to refuse consent and that this decision is respected.

Conversely, however, it is also true that consent should probably NOT be obtained for pure “information” on data processing or the manner of data processing without the GDPR stipulating consent.

The role of the GDPR in the digital world

In today’s digital world, the General Data Protection Regulation (GDPR) plays a crucial role. It serves to protect the privacy of citizens and to oblige companies to handle personal data responsibly. The GDPR has raised awareness of data protection issues and increased standards for handling personal data. The EDSA’s decision underscores the importance of the GDPR and shows that violations of this regulation can have serious consequences. It also shows that compliance with the GDPR is not only a legal obligation, but also an important aspect of building trust and credibility with customers.

A breach of the GDPR can not only lead to legal consequences, but also undermine customer trust in your company and damage your reputation. Therefore, it is in your best interest to ensure that you comply with the Privacy Policy.

It is important to emphasize that compliance with the GDPR is not just a matter of complying with the law. It is also about acting ethically and responsibly. Companies that respect and protect the privacy of their customers are likely to have a competitive advantage by gaining the trust and loyalty of their customers.

In conclusion, it is important to emphasize that compliance with the GDPR requires a continuous effort. Data protection is not a one-time event, but an ongoing process that requires regular reviews and adjustments. Organizations need to be proactive and ensure they are up to date with the latest data protection regulations and practices.

Marian Härtel
Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: AGBConsumerCourt of AppealCustomizationGeneral Data Protection RegulationGeneral Terms and ConditionsLawsmarketingPrivacyRegulationSaasWhatsapp

Weitere spannende Blogposts

Advocate General at the ECJ on the admissibility of cheat software

Lego brick still protected as a design patent
14. June 2024

Advocate General at the ECJ on the admissibility of cheat software For many years, I had the opportunity to accompany...

Read moreDetails

Legal form as an influencer? A few hints!

Legal form as an influencer? A few hints!
12. March 2019

Why a legal form as an influencer? It's been a little quieter about influencer marketing over the past month. However,...

Read moreDetails

Brexit and data protection, review contracts and service providers

ITMediaLaw: Http3 on Litespeed Server
7. November 2022

Earlier this year, I already warned about Brexit and data protection in this article. However, that was before the UK's...

Read moreDetails

Are trading apps allowed to restrict trading?

Are trading apps allowed to restrict trading?
7. November 2022

Attention: Due to the explosive nature of the current situation, this blog post must not be understood as concrete legal...

Read moreDetails

Office 365 in schools illegal under data protection law

Office 365 in schools illegal under data protection law
7. November 2022

1. preliminary remark For years, there has been a debate in Germany about whether schools can use Microsoft's Office 365...

Read moreDetails

Website operators are liable for data processing of like buttons

Facebook pages, data protection and August 1, 2019
29. July 2019

At the end of last year, I reported that the Advocate General of the ECJ had recommended that the ECJ...

Read moreDetails

Data protection because of Facebook scraping? Finally at the BGH!

BGH considers Uber Black to be anti-competitive
22. May 2024

The VI. Civil Senate, which is responsible for legal disputes regarding claims arising from the General Data Protection Regulation, will...

Read moreDetails

BaFin: Dark patterns in trading apps inadmissible

BaFin: Dark patterns in trading apps inadmissible
21. November 2022

BaFin clarifies in a current information letter that securities services companies are not allowed to use dark patterns in trading...

Read moreDetails

Federal Court of Justice on Influencer Advertising

Brief reminder: Influencer as target of warning letters
7. November 2022

The I. Civil Senate of the Federal Court of Justice today ruled in three proceedings on the question of whether...

Read moreDetails
Contractual regulations for no-code/low-code software development
Other

Contractual regulations for no-code/low-code software development

21. May 2025

No-code and low-code platforms enable rapid software development without extensive manual programming. Applications are increasingly being developed on the basis...

Read moreDetails
Erotic content on OnlyFans: Copyright and personality rights protection for creators

Erotic content on OnlyFans: Copyright and personality rights protection for creators

20. May 2025
Goodbye hustle culture? Startup life between 24/7 grind and work-life balance

Goodbye hustle culture? Startup life between 24/7 grind and work-life balance

19. May 2025
Startup buzzwords 2025: Bullshit bingo in marketing German Introduction: Bullshit bingo in marketing German

Startup buzzwords 2025: Bullshit bingo in marketing German Introduction: Bullshit bingo in marketing German

18. May 2025
From the metaverse boom to AI euphoria – a tech lawyer in the hype cycle

From the metaverse boom to AI euphoria – a tech lawyer in the hype cycle

17. May 2025

Podcastfolge

8ffe8f2a4228de20d20238899b3d922e

Web3, blockchain and law – a critical review

26. September 2024

  In this insightful episode of the ITmedialaw podcast, we take an in-depth look at the intersection of Web3, blockchain...

Read moreDetails
c9c5d7fd380061a8018074c2ca5a81bf

Startups and innovation in Germany – challenges and opportunities

26. September 2024
8315f1ef298eb54dfeed2f5e55c8b9da 1

First test episode of the ITMediaLaw Podcast

26. August 2024
d5ab3414c7c4a7a5040c3c3c60451c44

The metaverse – legal challenges in virtual worlds

26. September 2024
legal challenges when implementing confidential computing data protection and encryption in the cloud

Smart contracts and blockchain

15. January 2025

Video

My transparent billing

My transparent billing

10. February 2025

In this video, I talk a bit about transparent billing and how I communicate what it costs to work with...

Read moreDetails
Fascination between law and technology

Fascination between law and technology

10. February 2025
My two biggest challenges are?

My two biggest challenges are?

10. February 2025
What really makes me happy

What really makes me happy

10. February 2025
What I love about my job!

What I love about my job!

10. February 2025
  • Privacy policy
  • Imprint
  • Contact
  • About lawyer Marian Härtel
Marian Härtel, Rathenaustr. 58a, 14612 Falkensee, info@itmedialaw.com

Marian Härtel - Rechtsanwalt für IT-Recht, Medienrecht und Startups, mit einem Fokus auf innovative Geschäftsmodelle, Games, KI und Finanzierungsberatung.

Welcome Back!

Login to your account below

Forgotten Password? Sign Up

Create New Account!

Fill the forms below to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
  • Informationen
    • Ideal partner
    • About lawyer Marian Härtel
    • Quick and flexible access
    • Principles as a lawyer
    • Why a lawyer and business consultant?
    • Focus areas of attorney Marian Härtel
      • Focus on start-ups
      • Investment advice
      • Corporate law
      • Cryptocurrencies, Blockchain and Games
      • AI and SaaS
      • Streamers and influencers
      • Games and esports law
      • IT/IP Law
      • Law firm for GMBH,UG, GbR
      • Law firm for IT/IP and media law
    • The everyday life of an IT lawyer
    • How can I help clients?
    • Testimonials
    • Team: Saskia Härtel – WHO AM I?
    • Agile and lean law firm
    • Price overview
    • Various information
      • Terms
      • Privacy policy
      • Imprint
  • Services
    • Support and advice of agencies
    • Contract review and preparation
    • Games law consulting
    • Consulting for influencers and streamers
    • Advice in e-commerce
    • DLT and Blockchain consulting
    • Legal advice in corporate law: from incorporation to structuring
    • Legal compliance and expert opinions
    • Outsourcing – for companies or law firms
    • Booking as speaker
  • News
    • Gloss / Opinion
    • Law on the Internet
    • Online retail
    • Law and computer games
    • Law and Esport
    • Blockchain and web law
    • Data protection Law
    • Copyright
    • Labour law
    • Competition law
    • Corporate
    • EU law
    • Law on the protection of minors
    • Tax
    • Other
    • Internally
  • Podcast
    • ITMediaLaw Podcast
  • Knowledge base
    • Laws
    • Legal terms
    • Contract types
    • Clause types
    • Forms of financing
    • Legal means
    • Authorities
    • Company forms
    • Tax
    • Concepts
  • Videos
    • Information videos – about Marian Härtel
    • Videos – about me (Couch)
    • Blogpost – individual videos
    • Videos on services
    • Shorts
    • Podcast format
    • Third-party videos
    • Other videos
  • Contact
  • en English
  • de Deutsch
Kostenlose Kurzberatung